
Thread: security:authorize tags not working

  1. #1
    Join Date
    May 2009
    Location
    Philadelphia
    Posts
    23

    Default security:authorize tags not working

    In my Roo-generated project I set up Spring Security so people can log in (still have the default admin and user users).


    I have used security:authorize tags before and all I had to add to my jsp was
    <%@ taglib prefix="security" uri="http://www.springframework.org/security/tags" %>
    at the top and then throw security:authorize tags around stuff on my page. It works like a charm in my regular hand-crafted spring 2.5 webapp.

    I can't add that to my jspx files that Roo generated, but I found a line in the default.jspx like this
    xmlns:security="http://www.springframework.org/schema/security"
    so I figured I could add that to the top of my menu.jspx and throw security tags around menu options so they won't show up except for admins

    Here is the top of my menu.jspx
    Code:
    <ul xmlns:c="http://java.sun.com/jsp/jstl/core" 
    xmlns:security="http://www.springframework.org/schema/security" 
    xmlns:spring="http://www.springframework.org/tags" id="roo_menu">
    	<security:authorize ifAllGranted="ROLE_ADMIN">
    		<li id="web_mvc_jsp_interest_category">
    		<h2>interest</h2>
    		<ul>
    			<li id="web_mvc_jsp_create_interest_menu_item">
                        <c:url value="/interest/form" var="web_mvc_jsp_create_interest_menu_item_url"/> <a href="${web_mvc_jsp_create_interest_menu_item_url}"> <spring:message arguments="Interest" code="global.menu.new"/> </a>
                    </li>
    			<li id="web_mvc_jsp_list_interest_menu_item">
                        <c:url value="/interest?page=${empty param.page ? 1 : param.page}&amp;amp;size=${empty param.size ? 10 : param.size}" var="web_mvc_jsp_list_interest_menu_item_url"/> <a href="${web_mvc_jsp_list_interest_menu_item_url}"> <spring:message arguments="Interests" code="global.menu.list"/> </a>
                    </li>
    		</ul>
    		</li>
    	</security:authorize>
    Problem is when I run my app those security tags get left in the source and, of course, all the stuff inside still gets shown to everyone.

    It seems like I am missing something. I read on the internets somewhere that this can happen if your filters are in the wrong order. Here are my filters and filter mappings from web.xml:

    Code:
     <filter>
            <filter-name>springSecurityFilterChain</filter-name>
            <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        </filter>
    
        <filter>
            <filter-name>Spring OpenEntityManagerInViewFilter</filter-name>
            <filter-class>org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter</filter-class>
        </filter>
        
    	<filter>
    		<filter-name>etagFilter</filter-name>
    		<filter-class>org.springframework.web.filter.ShallowEtagHeaderFilter</filter-class>
    	</filter>
    
    	<filter>
    		<filter-name>CharacterEncodingFilter</filter-name>
    		<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
    		<init-param>
    			<param-name>encoding</param-name>
    			<param-value>UTF-8</param-value>
    		</init-param>
    		<init-param>
    			<param-name>forceEncoding</param-name>
    			<param-value>true</param-value>
    		</init-param>
    	</filter>
    
    	<filter>
    		<filter-name>httpMethodFilter</filter-name>
    		<filter-class>org.springframework.web.filter.HiddenHttpMethodFilter</filter-class>
    	</filter>
    
    	<filter>
    		<filter-name>UrlRewriteFilter</filter-name>
    		<filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
    	</filter>
        
        <filter-mapping>
            <filter-name>springSecurityFilterChain</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
    
    	<filter-mapping>
            <filter-name>Spring OpenEntityManagerInViewFilter</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
        <filter-mapping>
    		<filter-name>etagFilter</filter-name>
    		<url-pattern>/*</url-pattern>
    	</filter-mapping>
    
    	<filter-mapping>
    		<filter-name>CharacterEncodingFilter</filter-name>
    		<url-pattern>/*</url-pattern>
    	</filter-mapping>
    
    	<filter-mapping>
    		<filter-name>httpMethodFilter</filter-name>
    		<url-pattern>/*</url-pattern>
    	</filter-mapping>
    
    	<filter-mapping>
    		<filter-name>UrlRewriteFilter</filter-name>
    		<url-pattern>/*</url-pattern>
    	</filter-mapping>
    Any tips? What am I missing?

  2. #2
    Join Date
    Mar 2008
    Location
    Sydney, AU
    Posts
    974

    Default

    I just tried this for the first time as well and it turns out you are using the wrong namespace URI. The correct one would be:

    Code:
    xmlns:security="http://www.springframework.org/security/tags"
    This works for me. Let me know if you have any further issues.

    Cheers,
    Stefan

  3. #3
    Join Date
    May 2009
    Location
    Philadelphia
    Posts
    23

    Default

    I fixed the URL, but the security tags are still not working. They don't get stripped out either, they are just sitting there. When I view source I can see them and all of the content inside of them is visible to the world.

  4. #4
    Join Date
    May 2009
    Location
    Philadelphia
    Posts
    23

    Default

    Here is my menu.jspx
    Code:
    <ul xmlns:c="http://java.sun.com/jsp/jstl/core" xmlns:security="http://www.springframework.org/security/tags" xmlns:spring="http://www.springframework.org/tags" id="roo_menu">
    	<security:authorize ifAllGranted="ROLE_ADMIN">
    		<li id="web_mvc_jsp_interest_category">
    		<h2>interest</h2>
    		<ul>
    			<li id="web_mvc_jsp_create_interest_menu_item">
                        <c:url value="/interest/form" var="web_mvc_jsp_create_interest_menu_item_url"/> <a href="${web_mvc_jsp_create_interest_menu_item_url}"> <spring:message arguments="Interest" code="global.menu.new"/> </a>
                    </li>
    			<li id="web_mvc_jsp_list_interest_menu_item">
                        <c:url value="/interest?page=${empty param.page ? 1 : param.page}&amp;amp;size=${empty param.size ? 10 : param.size}" var="web_mvc_jsp_list_interest_menu_item_url"/> <a href="${web_mvc_jsp_list_interest_menu_item_url}"> <spring:message arguments="Interests" code="global.menu.list"/> </a>
                    </li>
    		</ul>
    		</li>
    	</security:authorize>
    	<li id="web_mvc_jsp_researcher_category">
    	<h2>researcher</h2>
    	<ul>
    		<li id="web_mvc_jsp_create_researcher_menu_item">
                    <c:url value="/researcher/form" var="web_mvc_jsp_create_researcher_menu_item_url"/> <a href="${web_mvc_jsp_create_researcher_menu_item_url}"> Sign up! </a>
    		</li>
    		<li id="web_mvc_jsp_list_researcher_menu_item">
                    <c:url value="/researcher?page=${empty param.page ? 1 : param.page}&amp;amp;size=${empty param.size ? 10 : param.size}" var="web_mvc_jsp_list_researcher_menu_item_url"/> <a href="${web_mvc_jsp_list_researcher_menu_item_url}"> <spring:message arguments="Researchers" code="global.menu.list"/> </a>
                </li>
    		<li id="finder_findresearchersbyinterests_menu_item">
                    <c:url value="/researcher/find/ByInterests/form" var="finder_findresearchersbyinterests_menu_item_url"/> <a href="${finder_findresearchersbyinterests_menu_item_url}"> Search
    		for Research Collaborators </a>
                </li>
    	</ul>
    	</li>
    </ul>

  5. #5
    Join Date
    May 2009
    Location
    Philadelphia
    Posts
    23

    Default

    I noticed that on my other, non-roo spring project we have a jar called spring-security-taglibs-2.0.1.jar

    I don't see anything like that in my roo project...

  6. #6
    Join Date
    Mar 2008
    Location
    Sydney, AU
    Posts
    974

    Default

    Indeed, without the tag library in your classpath the Spring Security tags will not work. Which version of Roo are you using? The tag library should be installed by default. If not, just make sure this is in your pom:

    Code:
        <dependency>
                <groupId>org.springframework.security</groupId>
                <artifactId>org.springframework.security.core</artifactId>
                <version>3.0.0.RC1</version>
            </dependency>
        <dependency>
                <groupId>org.springframework.security</groupId>
                <artifactId>org.springframework.security.config</artifactId>
                <version>3.0.0.RC1</version>
            </dependency>
        <dependency>
                <groupId>org.springframework.security</groupId>
                <artifactId>org.springframework.security.web</artifactId>
                <version>3.0.0.RC1</version>
            </dependency>
        <dependency>
                <groupId>org.springframework.security</groupId>
                <artifactId>org.springframework.security.taglibs</artifactId>
                <version>3.0.0.RC1-A</version>
        </dependency>
    HTH,
    Stefan

  7. #7
    Join Date
    May 2009
    Location
    Philadelphia
    Posts
    23

    Default

    I am using 1.0.0.RC2 [rev 321] now. I think that is the same version I was using when I created this project. Although I remember entering the security setup command and that doesn't seem to be an option now...

  8. #8
    Join Date
    May 2009
    Location
    Philadelphia
    Posts
    23

    Default

    I added those dependencies (core was already there, although an earlier version)

    Now my app won't start and the error says:

    Code:
    Caused by: org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'org.springframework.security.authenticationManager' is defined: Did you forget to add an <authentication-manager> element to your configuration (with child <authentication-provider> elements) ?
    	at org.springframework.security.config.authentication.AuthenticationManagerFactoryBean.getObject(AuthenticationManagerFactoryBean.java:31)
    	at org.springframework.security.config.authentication.AuthenticationManagerFactoryBean.getObject(AuthenticationManagerFactoryBean.java:21)
    	at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:143)
    	... 33 more

    Here is my security context file:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    
    <beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
    
        <http auto-config="true">
        	<form-login login-processing-url="/static/j_spring_security_check" login-page="/login" authentication-failure-url="/login?login_error=t"/>
            <logout logout-url="/static/j_spring_security_logout"/>
            <intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
            <intercept-url pattern="/researcher/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
            <intercept-url pattern="/interest/**" access="ROLE_ADMIN"/>
            <intercept-url pattern="/member/**" access="IS_AUTHENTICATED_REMEMBERED" />
            <intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
            <intercept-url pattern="/static/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
            <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        </http>
        
        <authentication-provider>
        	<!-- SHA-256 values can be produced using 'echo -n your_desired_password | sha256sum' (using normal *nix environments) -->
        	<password-encoder hash="sha-256"/>
            <user-service>
                <user name="admin" password="8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918" authorities="ROLE_ADMIN"/>
    	        <user name="user" password="04f8996da763b7a969b1028ee3007569eaf3a635486ddab211d512c85b9df8fb" authorities="ROLE_USER"/>
    	    </user-service>
    	</authentication-provider>
    </beans:beans>
    That is basically what was auto-generated for me except that I added some intercept url patterns.
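
The startup error in the post above names the missing element: the Spring Security 3.0 namespace expects `<authentication-provider>` inside an `<authentication-manager>` element. The following is an added example, not part of the original post or of Roo's generated output, showing the same context file in the 3.0 form; the 3.0 XSD location is an assumption about the matching schema, and the password values are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- URL rules copied unchanged from the post; these are enforced server-side by the filter chain -->
    <http auto-config="true">
        <form-login login-processing-url="/static/j_spring_security_check" login-page="/login" authentication-failure-url="/login?login_error=t"/>
        <logout logout-url="/static/j_spring_security_logout"/>
        <intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
        <intercept-url pattern="/researcher/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <intercept-url pattern="/interest/**" access="ROLE_ADMIN"/>
        <intercept-url pattern="/member/**" access="IS_AUTHENTICATED_REMEMBERED"/>
        <intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <intercept-url pattern="/static/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    </http>

    <!-- 3.0 form: the provider is nested in authentication-manager instead of sitting at the top level -->
    <authentication-manager>
        <authentication-provider>
            <password-encoder hash="sha-256"/>
            <user-service>
                <!-- placeholder values: substitute the SHA-256 hex digest of each password -->
                <user name="admin" password="SHA256_HEX_PLACEHOLDER_ADMIN" authorities="ROLE_ADMIN"/>
                <user name="user" password="SHA256_HEX_PLACEHOLDER_USER" authorities="ROLE_USER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```

The `<intercept-url pattern="/interest/**" access="ROLE_ADMIN"/>` rule is what rejects non-admin requests; the `security:authorize` tag in menu.jspx only controls whether the link is rendered.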

  9. #9
    Join Date
    Dec 2009
    Posts
    11

    Default Observed same behavior

    I have observed the same behavior. I have

    <dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>org.springframework.security.core</artifactId>
    <version>3.0.0.RC1</version>
    </dependency>
    <dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>org.springframework.security.config</artifactId>
    <version>3.0.0.RC1</version>
    </dependency>
    <dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>org.springframework.security.web</artifactId>
    <version>3.0.0.RC1</version>
    </dependency>
    <dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>org.springframework.security.taglibs </artifactId>
    <version>3.0.0.RC1-A</version>
    </dependency>

    xmlns:security="http://www.springframework.org/security/tags"

    and

    <security:authorize ifAllGranted="ROLE_ADMIN">
    some text
    </security:authorize>

    and I do have org.springframework.security.taglibs-3.0.0.RC1-A.jar in the WAR/WEB-INF/lib directory.

    thanks

  10. #10
    Join Date
    Mar 2008
    Location
    Sydney, AU
    Posts
    974

    Default

    It seems you have set up everything correctly. Can you enable DEBUG logging for Spring Security to see what is happening (use 'logging setup --level DEBUG --package SECURITY')? Also, since we are not doing anything specific in terms of using Spring Security in Roo-generated projects, it might make sense to ask in the Spring Security forum if anyone there has come across your issue.

    Cheers,
    Stefan
